medium Email Security

Missing SPF/DMARC Records

SPF and DMARC records are missing or misconfigured, allowing attackers to spoof emails from your domain.

Severity
medium
Time to Fix
1-2 hours (+ monitoring period)
Difficulty
medium
OWASP
A05:2021 — Security Misconfiguration

What is Missing SPF/DMARC Records?

SPF (Sender Policy Framework) specifies which mail servers are allowed to send email from your domain. DMARC tells receiving mail servers what to do when SPF/DKIM checks fail. Without these, attackers can send spoofed emails (phishing, CEO fraud, invoice fraud) that appear to come from your domain, damaging your brand and potentially defrauding your customers.

Why It Matters to Your Business

Email spoofing enables phishing attacks that appear to come from your domain. Customers trust emails from your domain, making them more likely to click malicious links or wire money to attackers. The FBI reports $2.7B in losses from business email compromise (BEC) in 2022 alone.

How to Fix It

Add SPF, DMARC, and DKIM records to your DNS:

SPF (TXT record on yourdomain.com):
  v=spf1 include:_spf.google.com include:amazonses.com ~all
  (replace with your actual mail providers)

DMARC (TXT record on _dmarc.yourdomain.com):
  Start with monitoring: v=DMARC1; p=none; rua=mailto:[email protected]
  After 1-2 weeks of monitoring, switch to quarantine:
  v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
  Eventually enforce: v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

DKIM (depends on your mail provider):
  Google Workspace: Setup DKIM in Admin Console
  AWS SES: Enable DKIM signing per domain
  Microsoft 365: Setup DKIM in Defender portal

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-290: Authentication Bypass by Spoofing
Detected Bydns, email_security scanner(s)
Severity Levelmedium

How 2MNY Security Can Help

Check if your website has this vulnerability

Our dns, email_security scanner checks for this issue automatically.

Scan My Website Free